[Webkit-unassigned] [Bug 126627] New: IDNs containing Unicode combining marks should be displayed in Punycoded form

bugzilla-daemon at webkit.org
Wed Jan 8 01:08:12 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=126627

           Summary: IDNs containing Unicode combining marks should be
                    displayed in Punycoded form
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mathias at qiwi.be


For security reasons, internationalized domain names containing Unicode combining marks should be displayed in Punycoded form in Safari’s address bar.

Someone could register xn--apple-xvd.com and it would display in Safari’s address bar as apple͢.com, which enables all kinds of phishing attacks.

See <http://blog.dinaburg.org/2014/01/stupid-idn-tricks-unicode-combining.html>.

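The display rule requested in the report above, sketched as an added Python example (not WebKit's code and not part of the bug report). The function names are hypothetical, the input is assumed to be the ASCII form of the host, and "combining mark" is read here as any character in Unicode general category Mn, Mc or Me.

```python
import unicodedata

ACE_PREFIX = "xn--"  # IDNA prefix marking a Punycode-encoded label


def decode_label(label):
    """Return the Unicode form of one DNS label, or the label itself if it is not an IDN."""
    if not label.startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed A-label: keep the raw ASCII form


def combining_marks(text):
    """List (code point, name) for every character in general category Mn, Mc or Me."""
    return [
        ("U+%04X" % ord(ch), unicodedata.name(ch, "UNNAMED"))
        for ch in text
        if unicodedata.category(ch).startswith("M")
    ]


def display_host(ascii_host):
    """Decide what an address bar should show for a host name given in ASCII form.

    Returns (text_to_display, marks_found). If any label decodes to text that
    contains a combining mark, the whole host stays in its Punycoded form.
    """
    if not ascii_host.isascii():
        raise ValueError("expected the ASCII (A-label) form of the host")
    labels = ascii_host.lower().split(".")
    decoded = [decode_label(label) for label in labels]
    marks = [m for label in decoded for m in combining_marks(label)]
    if marks:
        return ".".join(labels), marks
    return ".".join(decoded), []


if __name__ == "__main__":
    # Constructed sample input: the host from the report plus two benign hosts.
    for host in ("xn--apple-xvd.com", "xn--mnchen-3ya.de", "example.com"):
        shown, marks = display_host(host)
        print("%-20s -> %-20s %s" % (host, shown, marks))
```

Category M also covers the vowel signs that scripts such as Devanagari require, so a blanket rule like this one forces those domains into Punycode as well.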